Skip to content

add key attestations #389

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 65 commits into from
Nov 19, 2024
Merged

add key attestations #389

merged 65 commits into from
Nov 19, 2024

Conversation

@paulbastian
Copy link
Contributor

@paulbastian paulbastian commented Sep 6, 2024
edited
Loading

Closes #355
Closes #368
Closes #215
Closes #150

  • link to the point in the spec where this is being used
  • add metadata
  • discuss if we need cnf claim
  • discuss whether OpenID4VCI wants to specify how to use DPoP with key attestation
  • update Security Consideration section for key attestation
  • discuss whether expiration of key attestation and expiration of key is the same or different
  • add text about Level of assurance and attack potential resistance
  • explain difference between two usages
  • new proof type that contains mandatory keyattestation with nonce
  • https://github.com/openid/OpenID4VCI/pull/389/files#r1797063233
  • tuning key_type and user_authentication values
  • provide initial values for apr and improve the description
  • provide better explanation/references for key_type
  • relax proof/proofs (doesn't have to be a Pop)

@paulbastian paulbastian marked this pull request as draft September 6, 2024 16:53
c2bo
c2bo reviewed Sep 10, 2024
View reviewed changes
Copy link
Member

@c2bo c2bo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like it as a first draft and added some general comments.

General question: The plan would be to describe the overall mechanism in an Appendix and reference in Credential Endpoint (additional parameter for a Credential Request) and in Credential Issuer Metadata (to signal this is required for specific credential configurations)?

paulbastian
paulbastian commented Sep 10, 2024
View reviewed changes
peppelinux
peppelinux reviewed Sep 11, 2024
View reviewed changes
Copy link
Member

@peppelinux peppelinux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good one @paulbastian , I support and follow this work, thank you

@paulbastian @peppelinux
Apply suggestions from code review
feced43 
Co-authored-by: Giuseppe De Marco <demarcog83@gmail.com>
@Sakurann
Copy link
Collaborator

Sakurann commented Sep 19, 2024

Is it possible to add description to the PR what this PR does and which issues it touches upon? thank you

Sakurann
Sakurann reviewed Sep 19, 2024
View reviewed changes
Sakurann
Sakurann reviewed Sep 19, 2024
View reviewed changes
Sakurann
Sakurann reviewed Sep 19, 2024
View reviewed changes
Sakurann
Sakurann reviewed Sep 19, 2024
View reviewed changes
Sakurann
Sakurann reviewed Sep 19, 2024
View reviewed changes
Sakurann
Sakurann requested changes Sep 19, 2024
View reviewed changes
Copy link
Collaborator

@Sakurann Sakurann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my big question to this PR is where in the request do I put this key attestation needs to be defined, no?

@peppelinux peppelinux mentioned this pull request Sep 19, 2024
Open
@andprian
Copy link

andprian commented Sep 20, 2024
edited
Loading

I had the same question as @Sakurann as to where to put the key attestation. Moreover, if one attestation contains a list of keys, how can we provide one PoP for each key, and how to figure out which PoP corresponds to which key in the keys array.

andprian
andprian reviewed Sep 20, 2024
View reviewed changes
@paulbastian @c2bo
Update openid-4-verifiable-credential-issuance-1_0.md
56e26fc 
Co-authored-by: Christian Bormann <8774236+c2bo@users.noreply.github.com>
paulbastian
paulbastian commented Sep 20, 2024
View reviewed changes
andprian
andprian reviewed Sep 23, 2024
View reviewed changes
paulbastian
paulbastian commented Sep 23, 2024
View reviewed changes
paulbastian
paulbastian commented Sep 23, 2024
View reviewed changes
paulbastian
paulbastian commented Sep 23, 2024
View reviewed changes
paulbastian
paulbastian commented Sep 23, 2024
View reviewed changes
peppelinux
peppelinux reviewed Nov 14, 2024
View reviewed changes
peppelinux
peppelinux reviewed Nov 14, 2024
View reviewed changes
peppelinux
peppelinux reviewed Nov 14, 2024
View reviewed changes
peppelinux
peppelinux reviewed Nov 14, 2024
View reviewed changes
peppelinux
peppelinux reviewed Nov 14, 2024
View reviewed changes
peppelinux
peppelinux reviewed Nov 14, 2024
View reviewed changes
peppelinux
peppelinux reviewed Nov 14, 2024
View reviewed changes
peppelinux
peppelinux approved these changes Nov 14, 2024
View reviewed changes
Copy link
Member

@peppelinux peppelinux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have provided additional comments, some editorial and others requesting further clarification for the readers. I can approve this regardless, as it appears to be very well done to me.

bj-ms
bj-ms approved these changes Nov 14, 2024
View reviewed changes
Copy link

@bj-ms bj-ms left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just added a comment about identifiers in key attestation JWTs, otherwise I find it to be a good extension to the specification!

openid-4-verifiable-credential-issuance-1_0.md
Comment on lines +2330 to +2331
"iss": "<identifier of the issuer of this key attestation>",
"iat": 1516247022,
Copy link

@bj-ms bj-ms Nov 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't that an information that we could get from the key attestation certificate from the key storage/WSCD, if necessary?

I would expect a wallet to already have an internal mapping with identifiers between key attestation jwts and the location where the key resides.

@paulbastian @peppelinux
Apply suggestions from Giuseppe
af74417 
Co-authored-by: Giuseppe De Marco <demarcog83@gmail.com>
pmhsfelix
pmhsfelix reviewed Nov 14, 2024
View reviewed changes
pmhsfelix
pmhsfelix approved these changes Nov 14, 2024
View reviewed changes
paulbastian
paulbastian commented Nov 14, 2024
View reviewed changes
paulbastian
paulbastian commented Nov 14, 2024
View reviewed changes
paulbastian
paulbastian commented Nov 14, 2024
View reviewed changes
paulbastian
paulbastian commented Nov 14, 2024
View reviewed changes
Sakurann
Sakurann reviewed Nov 14, 2024
View reviewed changes
paulbastian
paulbastian commented Nov 14, 2024
View reviewed changes
openid-4-verifiable-credential-issuance-1_0.md Outdated
Comment on lines 2292 to 2294
There are two ways to convey key attestations during Credential issuance:
- The Wallet uses the `jwt` proof type in the Credential Request to create a proof of possession of the key and adds the key attestation in the JOSE header as specified in (#jwt-proof-type).
- The Wallet uses the `attestation` proof type in the Credential Request with the key attestation without a proof of possession of the key itself as specified in (#attestation-proof-type).
Copy link
Contributor Author

@paulbastian paulbastian Nov 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

todo: move this part to the proof type section

@Sakurann Sakurann mentioned this pull request Nov 18, 2024
Open
This was referenced Nov 19, 2024
Closed
Open
@Sakurann Sakurann merged commit 2555d4e into main Nov 19, 2024
2 checks passed
@berendsliedrecht berendsliedrecht mentioned this pull request Jan 15, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pmhsfelix pmhsfelix pmhsfelix approved these changes

@peppelinux peppelinux peppelinux approved these changes

@Sakurann Sakurann Sakurann approved these changes

@tplooker tplooker tplooker approved these changes

@ve7jtb ve7jtb Awaiting requested review from ve7jtb

@jogu jogu Awaiting requested review from jogu

@martijnharing martijnharing Awaiting requested review from martijnharing

@bc-pi bc-pi Awaiting requested review from bc-pi

@ju-cu ju-cu Awaiting requested review from ju-cu

@andprian andprian Awaiting requested review from andprian

@awoie awoie Awaiting requested review from awoie

@UBaggeler UBaggeler Awaiting requested review from UBaggeler

@sorotokin sorotokin Awaiting requested review from sorotokin

@c2bo c2bo Awaiting requested review from c2bo

@OR13 OR13 Awaiting requested review from OR13

@nemqe nemqe Awaiting requested review from nemqe

@tlodderstedt tlodderstedt Awaiting requested review from tlodderstedt

@danielfett danielfett Awaiting requested review from danielfett

+1 more reviewer

@bj-ms bj-ms bj-ms approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone